<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
  <head>
    <title>Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade</title>
    <meta name="generator" content="Muse">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    
    <link rel="stylesheet" type="text/css"charset="utf-8" media="all" href="../styles/common.css"  />

    <script src="../scripts/jsMath/easy/load.js"></script>
  </head>

  <body>

    <h1>Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade
      <!-- menu start here -->
      <div class="menu">
        <div class="menuitem">
          <a href="../home/index.html">Home</a>
        </div>
        <div class="menuitem">
          <a href="../courses/index.html">Courses</a>
        </div>
        <div class="menuitem">
          <a href="../projects/index.html">Projects</a>
        </div>
        <div class="menuitem">
          <a href="../complang/index.html">CompLang</a>
        </div>
        <div class="menuitem">
          <a href="../code/index.html">CodeReading</a>
        </div>
        <div class="menuitem">
          <a href="../software/index.html">Software</a>
        </div>
        <div class="menuitem">
          <a href="../lectures/index.html">Lectures</a>
        </div>
      </div>
      <!-- menu ends here -->

    </h1>


    <!-- Page published by Emacs Muse begins here -->

<p>The paper mainly talks about buffer overflow attack techniques and
sells two projects StackGuard and PointGuard, which both aim at
protecting stack from buffer overflow attack.</p>

<h2>Attack techniques</h2>

<p class="first">As to attack techniques, it mentions three kinds of locations where
the code buffer may occupy:</p>

<ul>
<li>stack</li>
<li>heap</li>
<li>static data area</li>
</ul>

<p>And three common ways to launch the code:</p>

<ul>
<li>activation record. That is by modifying saved return eip in the
stack. Just like what we do in ICS Lab2.</li>
<li>function pointers. For example, buffer overflow of a char array in
a struct, may be able to modify function pointers in the same
struct, or in another struct.</li>
<li>longjmp buffers. Modify the target address of longjmp function.</li>
</ul>


<h2>Defence</h2>

<p class="first">This paper presents StackGuard and PointGuard. So I'll skip the
irrelate part, like how to write safe code and other mechanisms like
non-executable buffers.</p>

<h3>StackGuard</h3>

<p class="first">The main idea of StackGuard is to add canary (a type of check string)
in between the return eip and stack local variables, the canary can be
a magic number determined at compile-time, or random number generated
at run-time.</p>


<h3>PointGuard</h3>

<p class="first">StackGuard has one serious limitation that it can only protect return
eip on the stack. Similar to StackGuard, PointGuard also takes
advantage of canaries. The canaries are put next to all code pointers
(including function pointers and longjmp pointers), and check their
validity when ever a code pointer is dereferenced.</p>




<!-- Page published by Emacs Muse ends here -->
<hl />
<p />
<!-- <center> -->
<!--   Updated at  -->
<!--   2010-02-27 -->
<!-- </center> -->

<script type="text/javascript">
  var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
  document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
  try {
  var pageTracker = _gat._getTracker("UA-2241833-12");
  pageTracker._trackPageview();
  } catch(err) {}</script>

</body>
</html>

